So Many Businesses Leave It Until Too Late To Get Proper Cyber Security

August 25, 2014

Back in 2010, the Obama administration initiated a top-to-bottom assessment of federal cyber security policies. The results, which were published in a report titled “Cyberspace Policy Review,” sparked the creation of a federal cybersecurity office.

The initiation of new federal cyber security policies is being directed by a series of documents, also created as a result of the Cyberspace Policy Review. Among those is the National Initiative for Cybersecurity Education (NICE). Apart from directing how federal resources will be coordinated and tactical operation plans will be supported, NICE reflects the White House’s larger agenda for across-the-board cybersecurity education. NICE describes cybersecurity as “much more than technological solutions to technical problems; it is also highly dependent on educated users who are aware of and routinely employ sound practices when dealing with cyberspace.”

Now, four years later, a few questions remain. Have White House cybersecurity education initiatives become widespread, standardized, and effective enough to have negated, or at least dulled, imminent threats of cyber crime? That is perhaps too thorny and complex a question to fully address here. But the statistics on cybercrime tell a tale that is well … whatever the white-collar word is for grim.

In 2005 the U.S. Bureau of Justice released its first ever report on cybercrime attacks against businesses. Of the 7,818 businesses that participated in the study, 67 percent detected at least one incident of cybercrime that year. More than 80 percent of victimized businesses detected multiple incidents. Half of victimized businesses detected 10 or more incidents. Nearly 70 percent of cyber theft victims sustained losses of $10,000 or more, and cyber theft is just one cybercrime category. One third of victims of other types of cybercrime also suffered losses greater than $10,000 (now rivaling more traditional crime, and soon to surpass it).

In total, cybercrimes cost those businesses that participated in the study $867 million in 2005. And according to the U.S. Department of Justice, the majority of businesses did not report cybercrime attacks to law enforcement.

Compare those statistics to what is being reported from 2013. A recent study of 60 companies conducted by Ponemon Institute concluded that the number of successful attacks experienced by those 60 companies averaged two per week, which would exceed 100 attacks annually. And the average annualized cost of cybercrime for those 60 businesses was $11.6 million. The range on that average was pretty broad, but one interesting point was that smaller businesses tend to experience far greater per capita losses.

Admittedly, there are some important differences in the research models between these two studies, so the comparisons cannot be treated as precisely one-to-one. But particular differences notwithstanding, it appears to be fairly well established that in spite of widespread federal initiatives to allocate resources, implement tactical planning, and educate business entities that operate in cyberspace to “routinely employ sound practices when dealing with cyberspace,” cyber crime has become more widespread, and maybe more costly.

It seems doubtful that will come as shocking news to anyone. And yet there are still far too many businesses that are leaving it until it’s too late to get proper cyber security. What might be the rationale behind that? Let’s try to imagine it on a more local, personal scale.

Imagine that Hometown U.S.A. begins to see a rise in crime. Due to some pretty radical systemic and cultural changes, opportunistic crimes have become more convenient for those who are savvy to all the changes. So the mayor and the sheriff hold a town hall meeting where they promise Hometown citizens that they will be re-allocating some resources, reconsidering their old law enforcement models, and implementing some new tactics, all while ramping up the number of law enforcement officers in the field.

At that point, as a born-and-bred Hometown citizen and card-carrying member of the Hometown Chamber of Commerce, would you stop locking the doors on your home or storefront and let your security rest solely on the shoulders of the mayor and the sheriff?

Probably not, but that is essentially what businesses that fail to implement proper cyber security from the outset are doing.